
Splunk not receiving any events from custom (scripted) inputs

hiwell
Explorer

Hello,

I created a Windows executable which reads lines from a file and outputs to console and made Splunk run this - but I had no luck finding the results in my search. I am currently running a .bat file in my inputs.conf (which runs the .exe). I can see my script was added to the list of scripts but it does not seem to be working.

I am curious if writing to console is the right way to pass the data into Splunk. If it is, where could I be wrong? Any help would be greatly appreciated!

0 Karma

Lowell
Super Champion

Yes, your scripted input should write events out to the console aka "stdout" (standard output). (Normally this is accomplished using a "print" or "echo" command, depending on your programming environment.) Anything written to "stderr" (standard error) will also be stored in the _internal index because it's assumed to be an error message.

Finding your events within Splunk will depend on your settings in your inputs.conf entry for your scripted input. Specifically the "index", "host", "source" and "sourcetype" settings will dictate where and how your events are stored by Splunk. (You can always just search for a unique term that you know your scripted input will be writing out.) But I would recommend explicitly setting a source and sourcetype for your scripted input.

I would also suggest that you look in the internal index for any errors. Try the following search:

 index=_internal sourcetype=splunkd ExecProcessor

This should give you a starting point as to what errors (if any) have been encountered.
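
A sketch of the kind of script the answer describes, added here as an example and not code from either poster: it prints each new line of a file to stdout as an event, sends problems to stderr, and remembers a byte offset between runs so events are not re-emitted. The file names, environment variables and the offset checkpoint are assumptions of this example.

```python
#!/usr/bin/env python3
"""Scripted-input sketch: emit new lines of a file as events on stdout."""
import os
import sys

# Hypothetical paths and variable names, chosen for this example only.
LOG_PATH = os.environ.get("DEMO_LOG_PATH", "app.log")
STATE_PATH = os.environ.get("DEMO_STATE_PATH", "app.log.offset")


def read_offset(state_path):
    """Return the byte offset saved by the previous run, or 0."""
    try:
        with open(state_path) as fh:
            return int(fh.read().strip() or 0)
    except (OSError, ValueError):
        return 0


def emit_new_lines(log_path, state_path, out=sys.stdout, err=sys.stderr):
    """Write unseen lines to `out` (events), problems to `err`. Returns count."""
    offset = read_offset(state_path)
    try:
        size = os.path.getsize(log_path)
    except OSError as exc:
        # Per the answer above, stderr is treated as an error message, not event data.
        print(f"cannot read {log_path}: {exc}", file=err)
        return 0
    if size < offset:  # file was truncated or rotated: start over
        print(f"{log_path} shrank, rereading from start", file=err)
        offset = 0
    count = 0
    with open(log_path, "rb") as fh:
        fh.seek(offset)
        for raw in fh:
            if not raw.endswith(b"\n"):
                break  # partial line still being written; pick it up next run
            out.write(raw.decode("utf-8", errors="replace").rstrip("\r\n") + "\n")
            offset += len(raw)
            count += 1
    out.flush()  # make sure buffered events reach the parent process
    with open(state_path, "w") as fh:
        fh.write(str(offset))
    return count


if __name__ == "__main__":
    emit_new_lines(LOG_PATH, STATE_PATH)
```

Run it once by hand first: if nothing appears on the console, nothing will reach the index either.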

hiwell
Explorer

cool cool everything good to go now

0 Karma

Lowell
Super Champion

Pretty much everything that you do configure from the UI simply generates a config file entry. So you should be able to find your scripted input in one of the inputs.conf files on your system. (Check various local directories.) There is also something in the docs called "How config files work" (or something like that). I would recommend that you read that if you're new to Splunk and its config files.

0 Karma

hiwell
Explorer

Thanks for your reply! I actually got it going now. I have another question though: is it possible to edit sourcetype and all through the inputs.conf or props.conf even though you added the script through Manager -> Data Inputs -> Scripts? The Splunk documentation (http://www.splunk.com/base/Documentation/4.1.3/Admin/Setupcustom(scripted)inputs) shows you two ways to do it and my impression was that you have to work one way or the other and not get them mixed up.

0 Karma